* Network managers: It's time to stop dragging your feet about directories

Back in the day (back before there was broadband, son), telecommuting meant connecting from home to the office by dialing in over a modem to one of, possibly, a bank of modems in the telecomm room at your workplace. Typically, this was accomplished at bit rates of 1200 or 2400 baud. As more and more people attempted to dial in to the network and as directory-based authentication began to be seen in small and midsize businesses, a new protocol and standard was developed: the Remote Authentication Dial-In User Service.

Nowadays we rarely dial in directly to the office, instead choosing to connect over the public IP network. But RADIUS servers (most people ignore that “Dial-In User” part of the name) are still going strong.

Last spring, in the Identity Management newsletter, I introduced Infoblox’ RADIUS One device (see link below), a drop-in RADIUS appliance for your network which could increase security by having remote users authenticate to your directory before accessing the network. It has a quick and clean installation that network managers should like.

Infoblox co-founder and CTO Stuart Bailey called the other day to tell me that Version 1.1 was now shipping. When I asked what had changed, he replied that it now supported Active Directory (AD) directly, whereas Version 1.0 used the Lightweight Directory Access Protocol (LDAP) interface. I didn’t think much of that, but Bailey explained that they were running into opposition from Windows network managers (his customers tend to be the security managers) who were reluctant to let anything use the LDAP interface to AD.

During beta tests of the new version, though, Infoblox still found that IT departments were resisting its efforts, even though RADIUS One now speaks directly to AD.
It seems that the directory “guardians” were extremely reluctant to make the schema changes necessary to support a RADIUS server (not just the Infoblox one, but any RADIUS server). Bailey and his crew are managing to get around this stubbornness by showing the security people how to configure Active Directory/Application Mode (ADAM) to support RADIUS One while linking back to the enterprise AD installation for identity info. This seems to work fine, although the Windows network honchos are still grumbling.

What is the problem?

Microsoft has admitted that Windows 2000 Server was slow to be adopted because of AD. It spent a lot of time and money showing you how to install Win2K without using AD. Even after reluctantly installing Win 2000 with AD, many network bosses are dragging their feet as much as they can about simple schema extensions. To combat this reluctance, Windows Server 2003 introduced ADAM, allowing service and application vendors – the ones that understand the benefits of a powerful directory – to, essentially, bypass the network manager bottleneck.

Twenty years ago, the MIS “men in white coats” tried to block desktop PCs from the workplace. They didn’t succeed. Trying to block directory services will fail just as miserably. Vendors like Infoblox, in cooperation with users (and that includes executive suite users) in your organization will find ways to bypass your obstructionism. If any of you are still in the mode of blocking your organization from fully using the power of AD, it’s time to either adapt or get out of the way.